Jim Kohlenberger:
When Personal Data is Under Attack, Strong Encryption Can Help Protect It

This op-ed was originally published in Newsweek.

As hackers become increasingly sophisticated, they are targeting our personal data and stealing it at unprecedented rates. As a result, too many of us have received notices telling us our data has been breached and is likely in criminal hands. That data likely wasn’t stolen from your personal device but taken from a third party like your health provider, a school, or an online store.

Unfortunately, these breaches can upend people’s lives. In March 2023, for example, hackers released highly sensitive personal information on 200,000 children from Minneapolis schools. It included the private details of campus rape cases, child abuse inquiries, student mental health crises, and suspension reports. Following another breach impacting tens of thousands of residents in Oakland, California, one victim explained he is now “living through a financial nightmare” after bad actors used data to rack up fraudulent charges and purchase a new home in his name. These cases aren’t just tragic; they are widespread. According to a Pew Research Center survey on privacy and data breaches, with more personal data falling into the wrong hands, “a quarter of Americans (26%) say someone put fraudulent charges on their debit or credit card in the last 12 months.”

While basic cyber hygiene can protect against 99% of attacks, only about half of users follow these practices, according to my organization’s survey. We all need to do better. But what if our data could be protected even if it is stolen by scrambling it in a way so no one but you can read or make use of it? End-to-end encryption is a tool that helps you protect your personal data from snooping eyes by making it unreadable and unusable to anyone except the specific people and devices that it’s intended for. It’s designed so that no technology provider, third party, or middleman has access to your key or the ability to unlock or read your data — whether it’s in transit or stored. For them, the data just looks like digital gibberish.

This data-protecting super-power is why encryption has emerged as perhaps the most powerful and effective tool we have for protecting personal privacy, safety and security. Think about it. Every day, we trust browsers, services and devices that utilize end-to-end encryption to keep our data safe from hackers, fraudsters and criminals. We rely upon the broad adoption of end-to-end encryption in our browsers when we log into a website, to protect our credit card numbers when purchasing something online, and every time we use our face, fingerprint, or passcode to protect the data on our phones in case they are lost or stolen. Increasingly, we also rely on encryption to protect the content of messages — so that only the sender and intended recipient can read it. But with 82% of data breaches now involving the cloud, it’s time we take the next step to make end-to-end encryption options for cloud services more ubiquitous too.

The good news: last year we saw some major wins for consumers as more companies began extending their use of end-to-end encryption to the cloud. They announced new steps to protect your phone’s personal data when it is stored in iCloud, when communicating using the cloud-based Messenger app, or when using cloud-based e-mail services like Gmail — together creating near bullet-proof data protections for hundreds of millions of users.

However, end-to-end encryption in cloud services is still nascent. Most cloud data is still stored in ways that make it easily accessible to service providers, and thus to hackers too. For example, while 39% of businesses surveyed experienced a data breach in their cloud environment in 2022, only about 45% of the sensitive data they store in the cloud is encrypted. One study shows this lack of encryption has become the primary contributor to sensitive data loss. As MIT professor Dr. Stuart Madnick explains, “As long as organizations worldwide continue to store troves of valuable personal data in unencrypted form in the cloud, individuals remain at risk of having their personal data stolen, exploited, and exposed.”

It’s clear we need to do more to expand encryption’s use, and consumers agree. Trusted Future’s health survey found 52% of consumers say they are more likely to trust technology when their data is backed up and stored in an encrypted way (with a ‘lock box’) where only they have the key to unlock it.

Despite efforts to expand adoption, proposals are nonetheless springing up around the world that would instead remove the “lock” from the “lock box,” effectively outlaw the use of end-to-end encryption, and put the personal security of billions of people at risk. Specifically, policymakers in Australia, the UK, the EU, and the U.S. are considering proposals that would stall, stifle, and even stop the deployment of the strong encryption necessary to keep data safe. While aimed at well-meaning goals to more comprehensively detect child abuse and terrorist content, experts explain these proposals require the service provider to retain encryption keys for user data in order to scan and read personal data — fundamentally undermining data security for everyone.

The underlying issues these policymakers are trying to address are important. Law enforcement needs the ability to prosecute crimes within the law, and we absolutely need to be doing more to protect children online. But there are better, smarter, and more effective ways to tackle these important issues without fundamentally undermining one of the most powerful and essential security technologies used to keep your digital data safe. In fact, many consumers say they want policymakers to reject efforts that have the effect of weakening strong encryption.

To advance a more trusted future, it’s time we up our encryption game. Following a tsunami of data breaches that exposed a record 2.6 billion personal records in the last two years alone, we need to protect the integrity of our personal data, even if hackers gain access, by encouraging organizations everywhere to adopt the strongest forms of encryption. It’s a vital new privacy imperative.